A ROADMAP FOR HACKERS? — DOCUMENTS DETAILING HEALTHCARE.GOV SECURITY VULNERABILITIES


Tuesday, January 28, 2014 

House of Representatives, 

Committee on Oversight and Government Reform, 

Washington, D.C. 

The committee met, pursuant to call, at 10:05 a.m., in Room 2154, Rayburn House Office Building, Hon. Darrell E. Issa [chairman of the committee] presiding.

Present: Representatives Issa, Mica, Turner, Duncan, Jordan, Chaffetz, Walberg, Lankford, Amash, Gosar, Meehan, DesJarlais, Gowdy, Farenthold, Massie, Collins, Meadows, Bentivolio, DeSantis, Cummings, Maloney, Norton, Tierney, Lynch, Cooper, Connolly, Speier, Cartwright, Duckworth, Davis, and Lujan Grisham.

Staff Present: Brian Blase, Senior Professional Staff Member; Molly Boyl, Deputy General Counsel and Parliamentarian; Lawrence J. Brady, Staff Director; Joseph Brazauskas, Counsel; Daniel Bucheli, Assistant Clerk; Caitlin Carroll, Press Secretary; Sharon Casey, Senior Assistant Clerk; John Cuaderes, Deputy Staff Director; Adam P. Fromm, Director of Member Services and Committee Operations; Linda Good, Chief Clerk; Meinan Goto, Professional Staff Member; Tyler Grimm, Senior Professional Staff Member; Ryan M. Hambleton, Senior Professional Staff Member; Frederick Hill, Deputy Staff Director for Communications and Strategy; Christopher Hixon, Chief Counsel for Oversight; Michael R. Kiko, Legislative Assistant; Mark D. Marin, Deputy Staff Director for Oversight; Ashok M. Pinto, Chief Counsel, Investigations; Laura L. Rush, Deputy Chief Clerk; Sarah Vance, Assistant Clerk; Peter Warren, Legislative Policy Director; Rebecca Watkins, Communications Director; Tamara Alexander, Minority Counsel; Susanne Sachsman Grooms, Minority Deputy Staff Director/Chief Counsel; Jennifer Hoffman, Minority Communications Director; Chris Knauer, Minority Senior Investigator; Julia Krieger, Minority New Media Press Secretary; Elisa LaNier, Minority Director of Operations; Una Lee, Minority Counsel; Juan McCullum, Minority Clerk; Dave Rapallo, Minority Staff Director; Valerie Shen, Minority Counsel; Mark Stephenson, Minority Director of Legislation; and Cecelia Thomas, Minority Counsel.

Chairman ISSA. The committee will come to order.

The Oversight Committee exists to secure two fundamental principles. First of all, Americans have a right to know what they get from their government and how the money is spent. And second, they deserve an efficient, effective government that works for them.

Our duty on the Oversight and Government Reform Committee is to protect these rights. Our solemn responsibility is to hold government accountable to taxpayers because taxpayers have a right to know what they get from their government. Our job is to work tirelessly, in partnership with citizen watchdogs, to deliver the facts to the American people and bring genuine reform to the Federal bureaucracy.

Before I make my opening statement, it is the chair’s intent to go into an executive session in order to protect any items that may be disclosed as to vulnerabilities of the Web site that as of today may or may not have been fully mitigated. So I would advise all staff, members, and the audience that once we go into executive session, we will only have cleared personnel. For members it means stay here. For staff what it means is that you will be asked to leave the room, go back out, sign back in, and be recorded as here.

Additionally, there are numbered packets for information here at your desk. I would admonish all members that these documents are not to be removed. They are committee documents, but they are not personal documents. So you may use them and read them here during the session, they will be available to members and designated staff, but not to be removed. No copies are to be made, and they are not to be removed.

Lastly, these are unclassified documents. They have absolutely no protection under classification to our knowledge. Notwithstanding that, it is our obligation to treat these as potentially sensitive until on a committee basis we are quite comfortable that release would have no adverse effect on the ability of the Web sites to remain up and unhacked.

If there are any questions prior to going to executive session, members may ask them, but I advise that they ask staff beforehand so that we not waste anyone’s time, since this is not an ordinary procedure, but a necessary procedure.

I will now recognize myself for an opening statement. 

Today’s hearing will focus on several remaining questions surrounding the security of HealthCare.gov. In particular, what security risks and concerns were present when the Obama administration decided to launch HealthCare.gov on October 1st; what is being done to fix the critical security risk Web site users are potentially still facing; and what limitations are there on the latest security testing?

When Americans submit their sensitive personal information to HealthCare.gov or, I might add, when government takes sensitive information, including your IRS information, and makes it available through a Web site to outsiders, they deserve to know that it is safe from hackers, bad actors, and security glitches. The possibility of security breach is not some vague, distant concern. It is a real and tangible threat that could affect millions. Private companies devote entire departments to bolstering their online security. They understand the threat of cyber attack is always present and that the consequences of a successful cyber attack can be devastating.

Sadly, the recent security breach at Target, Neiman Marcus, and other companies which have resulted in millions of Americans having their credit card information compromised is an illustration of just how dangerous an attack can be.

The Department of Health and Human Services has repeatedly assured the American public that their sensitive, personally identifiable information transmitted by HealthCare.gov is safe and secure, but because officials authorized the launch of the Web site full of functional errors, Americans have deep skepticism that the site was, in fact, secure. Indeed, documents obtained by this committee by subpoena, around the Health and Human Services, in spite of our repeated attempts to get the information from its source at Health and Human Services, help the committee show that why stopping — security officials at CMS had recommended this site be delayed, not launched, or launched only in part, but CMS officials went ahead anyway, and it is clear that they knew the risk.

Under current law it is possible to launch a site by simply saying that an executive within the administration of the right level has the ability to accept the risk. That current law allows an administration official to accept the risk or almost the assurance that American people’s personal identifiable information will be compromised. There is no protection against a judgment call that the risk of billions of dollars, trillions of dollars, the entire economy can, in fact, be waived by an administration official, meaning there is no standard other than the acceptance of risk.

Moreover, 11 weeks after the site is launched, no independent security testing was conducted. Contrary to statements made by Secretary Sebelius at a congressional hearing, independent security testing did not resume until December 9, 2013. When testing did resume, MITRE, the contractor performing the testing, was unable to test half of the functions of the Web site.

Even with the limited scope of testing, MITRE found a high risk that allowed users to access system documents belonging to other users, which could result in the exposure of privileged information to unauthorized individuals. MITRE Corporation found other serious vulnerabilities that would threaten users of HealthCare.gov which have not been shown to the public. These vulnerabilities only reinforce the need for answers, which I intend to pursue.

Since December 15, when the administration offered a meeting with Secretary Sebelius and I flew back during a district work period, I have repeatedly tried to have HHS engage this committee to discuss the security testing documents. I even went so far, again I say, as to fly back to D.C. during the Christmas recess just to meet with Secretary Sebelius. Once back, even though she was in town, she declined for 2 days in a row to offer a meeting time, instead offering a junior level staff briefing.

Until this point, the administration had not made a good faith effort to facilitate a meeting. However, I am pleased that HHS has sent a knowledgeable representative here today so that we can finally have at least the beginnings of a conversation. We are joined today by a top information security officer at the Department of Health and Human Services, as well as an official from MITRE, the company hired by Health and Human Services to conduct the security control assessments of HealthCare.gov and its many components.

Again, because of the sensitive nature of the security testing documents, we have handled them carefully to ensure sensitive technical information does not end up in the wrong hands, and I will insist that our colleagues continue to respect that.

I must, in closing, share with the American people a personal sensitivity. I believe these documents do reflect ongoing potential loss of personally identifiable information belonging to the American people. However, if I am to take the administration at their word, there are no vulnerabilities unmitigated. Therefore, these documents are not a hacker’s access to your personal information, and yet, when asking for briefings, I get told that they have to be closed and in fact that these documents cannot be released.

The administration cannot have it both ways. They can’t both say these documents represent completely mitigated vulnerabilities and then say, but they are a pathway, so they can’t be released. It is this committee’s intent to err on the side of the assumption that the administration continues to lie about the site being safe and secure. We can find no other basis but to assume that they were lying about the vulnerabilities on the day they went live on October 1st and that they are still lying.

I don’t use the word lie without real forethought. You cannot continue to tell people there is no problem; there was a problem on October 1st. You cannot tell people they have been mitigated, and then tell them, but don’t release the documents because it is a pathway for hackers.

So I will assume that the truth is the site was vulnerable on launch date, they went ahead with known vulnerabilities, and that they continue to have unknown areas that could cause information to be made available outside of those having a right to. We can take no other assumptions. I hope in the long run we find that it was far less than it appeared to be. But with that I recognize Mr. Cummings for his opening statement.

Mr. Cummings. Thank you very much, Mr. Chairman. And I hope that our witnesses can shed some light on the many lies that you allege have been told.

Today is the 23rd hearing our committee has held on the Affordable Care Act. As I did at our previous hearing 2 weeks ago, I want to recognize the importance of what has been accomplished for the American people. And when I say the American people, I mean both Republican and Democrat, I mean all of America.

The law went into full effect on January 1st, and now millions of people are obtaining health insurance coverage they did not have before. Some of them have never had healthcare insurance. They are receiving critical medical care, and they have the security of knowing they will not go bankrupt if they get into an accident or get sick. This is, without a doubt, a historic achievement.

The law also put into place key protections for consumers. Insurance companies are now prohibited from discriminating — that is what I said, discriminating — against people with cancer, diabetes, heart disease, and preexisting conditions. Again, I am talking about our constituents, Americans, the ones who pay taxes and work hard every day. Insurance companies may not charge higher prices for women, and millions of people are now receiving free preventative care. The President has made it clear that he wants to keep people well because it is far cheaper to keep them well than to treat them after they are sick.

There are also huge financial benefits. Health insurance companies are now sending rebate checks to millions of people. Since the law was passed, we have seen the lowest growth in health care costs in 50 years. If we repeal the law today, it would increase our deficit by more than 1.5 trillion — not billion — trillion dollars.

In terms of the security of the Web site, we received testimony just 2 weeks ago from the chief information security officer of the CMS. She told us, and I quote, “There have been no successful security attacks on the FFM, and no person or group has maliciously accessed personally identifiable information,” end of quote. I want to repeat that: No person or group has maliciously accessed personally identifiable information on the HealthCare.gov Web site.

The chief information security officer also said that following security testing in December, HealthCare.gov has, and I quote, “a clean bill of health,” end of quote.

Although no system is hack-proof, she said she is, and I quote, “confident based on the recent security controls assessment and the additional security protections in place that the FFM is secure,” end of quote.

I want to thank the chairman for proposing that today’s hearing be held in executive session, a motion that I fully support. The MITRE Corporation and the Department of Health and Human Services have warned the committee repeatedly that some of the security testing documents we have obtained contain highly sensitive information and can provide a road map for hackers and others seeking to do us harm. I think it is a positive step that the committee is willing to hear from these officials firsthand about their concerns. Conducting the hearing in executive session will allow us to discuss this sensitive information directly with the experts.

As we have heard on numerous occasions from the cybersecurity experts at MITRE and the Department, the security control assessments contain information about cybersecurity methods and the fundamental cyber architecture of HealthCare.gov that, and I quote, “transcends the specific security control vulnerabilities which have been the focus of news reports and the committee’s public inquiry,” end of quote. Even when specific vulnerabilities identified by security testing have been addressed, these experts warn that publicly disclosing the security control assessments could still jeopardize HealthCare.gov and other CMS data networks, and again I hope our witnesses will shed light on that since the chairman has alleged that so many people have been lying.

I believe our goal as a committee should be to conduct responsible oversight that provides the American public with information necessary to understand the security of the HealthCare.gov Web site, while at the same time protecting sensitive information that could endanger the Web site’s functioning or compromise the personal information of the American people.

Let me conclude by thanking the officials testifying here today. Dr. Charest, this is your second time before the committee in as many weeks. Thank you for returning to address these vital questions in closed session.

Mr. Shomo, I understand that you are one of the engineers responsible for conducting security testing of HealthCare.gov on behalf of MITRE Corporation, and we thank you for being here.

As a nonprofit organization with a long history of running federally funded research and development programs, MITRE is known and respected for its objectivity and independence. We appreciate everything you both are doing to remain vigilant and protect the security of HealthCare.gov. Millions of American families thank you for helping them to get access to lifesaving care that they so desperately need.

And with that I yield back. 

Chairman ISSA. Thank you. 

I now ask unanimous consent that the document signed by Marilyn Tavenner, which is the authority to operate, be placed in the record. Without objection, so ordered.

Pursuant to that document, which says that within 60 to 90 — I will read it verbatim — conduct a full SCA test on the FFM, including its three modules, E&E, FM, and PM, in a stable environment where all security controls can be tested within 60 to 90 days of going live on October 1st.

Based on this document, which declares known vulnerabilities that must be tested and mitigated within 60 to 90 days, I now recognize the gentleman from Florida for a motion.

Mr. Mica. Mr. Chairman, so the Committee on Oversight and Government Reform may proceed in executive session and continue its business pursuant to House Rule XI(g)(2), I move that the remainder of the hearing be closed to the public because the disclosure of the testimony to be heard may compromise sensitive law enforcement information.

Chairman ISSA. The question is on agreeing to the motion to close the hearing. The clerk will call the roll.

The Clerk. Mr. Issa? 

Chairman ISSA. Yea.

The Clerk. Mr. Issa votes aye. 

Mr. Mica? 

Mr. Mica. Aye. 

The Clerk. Mr. Mica votes aye. 

Mr. Turner? 

Mr. Turner. Aye. 

The Clerk. Mr. Turner votes aye. 

Mr. Duncan? 

Mr. Duncan. Aye. 

The Clerk. Mr. Duncan votes aye. 

Mr. McHenry? 

[No response.] 

The Clerk. Mr. Jordan? 

Mr. Jordan. Yes. 

The Clerk. Mr. Jordan votes aye. 

Mr. Chaffetz? 

Mr. Chaffetz. Aye. 

The Clerk. Mr. Chaffetz votes aye. 
Mr. Walberg? 

Mr. Walberg. Aye. 

The Clerk. Mr. Walberg votes aye. 

Mr. Lankford? 

Mr. Lankford. Yes. 

The Clerk. Mr. Lankford votes aye. 

Mr. Amash? 

Mr. Amash. Yes. 

The Clerk. Mr. Amash votes aye. 

Mr. Gosar? 

Mr. Gosar. Yes. 

The Clerk. Mr. Gosar votes aye. 

Mr. Meehan? 

Mr. Meehan. Aye. 

The Clerk. Mr. Meehan votes aye. 

Mr. DesJarlais? 

Mr. DesJarlais. Aye. 

The Clerk. Mr. DesJarlais votes aye. 

Mr. Gowdy? 

Mr. Gowdy. Yes. 

The Clerk. Mr. Gowdy votes aye. 

Mr. Farenthold? 

Mr. Farenthold. Yes. 

The Clerk. Mr. Farenthold votes aye. 

Mr. Hastings? 

[No response.] 

The Clerk. Mrs. Lummis? 

[No response.] 

The Clerk. Mr. Woodall? 

[No response.] 

The Clerk. Mr. Massie? 

Mr. Massie. Aye. 

The Clerk. Mr. Massie votes aye. 

Mr. Collins? 

Mr. Collins. Aye. 

The Clerk. Mr. Collins votes aye. 

Mr. Meadows? 

Mr. Meadows. Aye. 

The Clerk. Mr. Meadows votes aye. 

Mr. Bentivolio? 

Mr. Bentivolio. Aye. 

The Clerk. Mr. Bentivolio votes aye. 

Mr. DeSantis? 

Mr. DeSantis. Aye. 

The Clerk. Mr. DeSantis votes aye. 

Mr. Cummings? 

Mr. Cummings. Yes. 

The Clerk. Mr. Cummings votes aye. 

Mrs. Maloney? 

Mrs. Maloney. Aye. 

The Clerk. Mrs. Maloney votes aye. 

Ms. Norton? 

[No response.] 

The Clerk. Mr. Tierney? 
Mr. Tierney. Aye. 

The Clerk. Mr. Tierney votes aye. 

Mr. Clay? 

[No response.] 

The Clerk. Mr. Lynch? 

Mr. Lynch. Aye. 

The Clerk. Mr. Lynch votes aye. 

Mr. Cooper? 

Mr. Cooper. Aye. 

The Clerk. Mr. Cooper votes aye. 

Mr. Connolly? 

[No response.] 

The Clerk. Ms. Speier? 

[No response.] 

The Clerk. Mr. Cartwright? 

Mr. Cartwright. Aye. 

The Clerk. Mr. Cartwright votes aye. 

Ms. Duckworth? 

Ms. Duckworth. Aye. 

The Clerk. Ms. Duckworth votes aye. 

Ms. Kelly? 

[No response.] 

The Clerk. Mr. Davis? 

Mr. Davis. Aye. 

The Clerk. Mr. Davis votes aye. 

Mr. Welch? 

[No response.] 

The Clerk. Mr. Cardenas? 

[No response.] 

The Clerk. Mr. Horsford? 

[No response.] 

The Clerk. Ms. Lujan Grisham? 

[No response.] 

Chairman ISSA. The clerk will report the tally. 

The Clerk. Twenty-seven ayes, zero noes. 

Chairman ISSA. There being 27 ayes and zero noes, the motion is agreed to. The clerk will now clear the room. Only Members of Congress, cleared staff, the witnesses, and their cleared counsels may remain in the hearing room. The committee stands in a short recess.

[Whereupon, at 10:27 a.m., the committee proceeded to closed session.]
DATE:

TO: Marilyn Tavenner

FROM: James Kerr, Consortium Administrator for Medicare Health Plans Operations

Henry Chao, Deputy Chief Information Officer & Office of Information Services Deputy Director

SUBJECT: Federally Facilitated Marketplace - DECISION

ISSUE:

The Federal Information Security Management Act (FISMA) requires that the various Federally Facilitated Marketplace (FFM) systems - Enterprise and Eligibility (E&E), Financial Management (FM), and Plan Management (PM) - successfully undergo a Security Control Assessment (SCA). Due to system readiness issues, the SCA was only partly completed. This constitutes a risk that must be accepted and mitigated to support the Marketplace Day 1 operations.

BACKGROUND:

CMS utilizes independent and specialized contractors to test the security readiness of its systems. Testing of the Marketplace has been on-going since inception as part of the CMS Expedited Life-Cycle process with the latest security testing occurring in September of 2013. As with all new systems which are pending launch, there are inherent security risks with not having all code tested in a single environment. Finally, the system requires rapid development and release of hot-fixes and patches so it is not always available or stable during the duration of testing.

From a security perspective, the aspects of the system that were not tested due to the ongoing development exposed a level of uncertainty that can be deemed as a high risk for FFM.

Although throughout the three rounds of SCA testing all of the security controls have been tested on different versions of the system, the security contractor has not been able to test all of the security controls in one complete version of the system.

The risk associated with issuing an ATO for the FFM will be reduced by instituting a two-part mitigation plan.

First, CMS will implement the following security processes for the first year of operation of FFM:

• Establish a dedicated security team under the Chief Information Officer (CIO) to monitor, track and ensure the mitigation plan activities are completed. The CIO and the Chief Information Security Officer (CISO) will report weekly on the progress to the Health Reform Operations Board;


Contains Sensitive and Proprietary Business Information - Maintain as Confidential

CG1HR00002833

• Monitor and perform weekly testing of all border devices, including Internet facing web servers;

• Conduct daily/weekly scans using the CISO’s continuous monitoring tools;

• Conduct a full SCA test on FFM (E&E, FM and PM) in a stable environment where all security controls can be tested within 60/90 days of going live on October 1.

Second, CMS will migrate the Marketplace systems to CMS’ Virtual Data Center (VDC) environment in Q1-2014. This environment has been through a full security assessment and has an authority to operate.


RECOMMENDATION:

Issue an Authority-to-Operate (ATO) for six months and implement the mitigation plan. The six-month period will allow the Marketplace to normalize its development activities while enabling the security team to closely monitor activities and perform a complete SCA.


Approved.

Date: [handwritten, illegible]

Disapproved.

Date:

Marilyn Tavenner

Attachment: Federally Facilitated Marketplace Decision Memo Risk Acknowledgement Signature Page


DEPARTMENT OF HEALTH & HUMAN SERVICES
Centers for Medicare & Medicaid Services
7500 Security Boulevard, Mail Stop
Baltimore, Maryland 21244-1850

Federally Facilitated Marketplace Decision Memo
Risk Acknowledgement Signature Page

We acknowledge the level of risk the Agency is accepting in the Federally Facilitated Marketplace (FFM). The mitigation plan does not reduce the risk to the FFM system itself going into operation on October 1, 2013. However, the added protections do reduce the risk to the overall Marketplace operations and will ensure that the FFM system is completely tested within the next 6 months.